hirschmann and tofino · •salt river project scada hack •maroochy shire sewage spill...

Copyright Belden 2013

Hirschmann and Tofino Implementing Security

Sven Burkard

Industrial Solution Manager [email protected] or 717.491.1770


Where network failures occur…

Source: Datacom, Network Management Special

Network Reliability in the OSI Model

8 %

10 %

35 %

25 %

12 %

7 %

3 %

Physical

Data Link

Network

Transport

Session

Presentation

Application

3

How Belden mitigates this…

Cable

Switches

Routers &

Firewalls

Deep-Packet

Inspection


ICS and SCADA

Security

Are you at risk?

5


• Salt River Project SCADA Hack

• Maroochy Shire Sewage Spill

• Software Flaw Makes MA Water Undrinkable

• Trojan/Keylogger on Ontario Water SCADA System

• Viruses Found on Auzzie SCADA Laptops

• Audit/Blaster Causes Water SCADA Crash

• DoS attack on water system via Korean telecom

• Penetration of California irrigation district wastewater

treatment plant SCADA.

• SCADA system tagged with message, "I enter in your

server like you in Iraq."

Security Incidents in the Water Industry

Source: Repository of Industrial Security Incident (RISI) Database 6


• Electronic Sabotage of Venezuela Oil Operations

• CIA Trojan Causes Siberian Gas Pipeline Explosion

• Anti-Virus Software Prevents Boiler Safety Shutdown

• Slammer Infected Laptop Shuts Down DCS

• Virus Infection of Operator Training Simulator

• Electronic Sabotage of Gas Processing Plant

• Slammer Impacts Offshore Platforms

• SQL Slammer Impacts Drill Site

• Code Red Worm Defaces Automation Web Pages

• Penetration Test Locks-Up Gas SCADA System

• Contractor Laptop Infects Control System

Security Incidents in the Oil Industry



• IP Address Change Shuts Down Chemical Plant

• Hacker Changes Chemical Plant Set Points via

Modem

• Nachi Worm on Advanced Process Control

Servers

• SCADA Attack on Plant of Chemical Company

• Contractor Accidentally Connects to Remote PLC

• Sasser Causes Loss of View in Chemical Plant

• Infected New HMI Infects Chemical Plant DCS

• Blaster Worm Infects Chemical Plant

Security Incidents in the Chemical Industry



• Slammer Infects Control Central LAN via VPN

• Slammer Causes Loss of Comms to Substations

• Slammer Infects Ohio Nuclear Plant SPDS

• Iranian Hackers Attempt to Disrupt Israel Power

System

• Utility SCADA System Attacked

• Virus Attacks a European Utility

• Facility Cyber Attacks Reported by Asian Utility

• E-Tag Forgery Incident in Power PSE

• Power Plant Security Details Leaked on Internet

Security Incidents in the Power Industry



Stuxnet Had Many Paths to its

Victim PLCs


Some Lessons Learned

•A modern ICS or SCADA system is highly

complex and interconnected

•Multiple potential pathways exist from the outside

world to the process controllers

•Assuming an air-gap between ICS and corporate

networks is unrealistic

•Focusing security efforts on a few obvious

pathways (such as USB storage drives or the

Enterprise/ICS firewall) is a flawed defense


Cyber Security Incident Types

© 2011 Security Incidents Organization

External

Hacker

Software or

Device Flaw

Human

Error

Malware

Infection

Disgruntled

Employee

12


• January 2001: Oil pipeline shut down for 6 hours after

software is accidently uploaded to a PLC on the plant

network instead of test network

• August 2005: 13 Chrysler auto plants were shut down by

a simple Internet worm; 50,000 workers stop work for 1

hour while malware removed

• August 2006: Operators at the Browns Ferry nuclear

power plant forced to “scram” the reactor after cooling

drive controllers crashed due to “excessive network

traffic”

Typical ICS Cyber Security Incidents

13


• “Soft” Targets

• PCs run 24x7 without security updates or even

antivirus

• Controllers are optimized for real-time I/O, not for

robust networking connections

• Multiple Network Entry Points

• The majority of cyber security incidents originate from

secondary points of entry to the network

• USB keys, maintenance connections, laptops, etc.

• Poor Network Segmentation

• Many control networks are “wide-open” with no

isolation between different sub-systems

• As a result problems spread rapidly through the

network

Security Issues in Control Networks

14

Copyright Belden 2013 15


Five Important Differences

IT and SCADA

#1 - Differing Risk Management Goals

#2 - Differing Performance Requirements

#3 - Differing Reliability Requirements

#4 - “Unusual” Operating Systems and Applications

#5 - Differing Security Architectures

•Problems occur because assumptions that are

valid in the IT world may not be valid on the plant

floor

17


Why is SCADA Security a Challenge?

“Why not just apply the already developed

practices and technologies from existing

Information Technology security to plant floor

security - isn't that good enough to solve the

problem?”

Cisco Researcher

July 2002

18


Why is SCADA Security a Challenge?

“None of this would be a problem if those █████

plant floor people just used proper security policies –

what █████ is wrong with them?”

IT Manager after a Security Incident

19


Differing Security Focus

• IT…. Privacy First - “Protect the Data”

•SCADA/ICS… Safety First - “Protect the Process”

Priority IT SCADA/ICS

#1 Confidentiality Availability

#2 Integrity Integrity

#3 Availability Confidentiality

20


• Cost Savings

• Reduced down time and maintenance costs

• Improved productivity

• Enhanced business continuity

• Enhanced Security and Safety

• Improved safety for the plant, employees and

community

• Improved defense against malicious attacks

• Simplified Regulatory and Standards Compliance

• FERC / NERC CIP

• ISA/IEC-62443 (formerly ISA-99)

• More to Come…

Why is Cyber Security Important?

21


7 Steps to ICS and

SCADA Security

22


Step 1 – Assess Existing Systems

•Security starts with understanding the risks that

control system security (or insecurity) can have on

a business

• Determine threats that pose a danger to the business

• Rank these risks

• Lets companies prioritize their security dollars and

effort.

•Don’t throw money into a solution for a minor risk,

and leave more serious risks unaddressed

•Consider 3rd-party/independent industrial cyber-

security firms (www.exida.com), for risk assessment

and actions needed

23


Example Risk Analysis at Oil Refinery

Event Vulnerability

Possible Threat

Source

Skill Level

Required Potential Consequence Severity Likelihood Risk Release of

hazardous

product

Manipulate control

system

Organized Crime,

Activist

Intermediate Major Injury

Complaints or Local Community

Impact

Medium Low Low

Disable/manipulate

emergency

shutdown

Terrorist, Organized

Crime, Activist

High Fatality or Major Community

Incident

High Low Medium

Process

reactivity

incident

Manipulate control

system

Domestic or Foreign

Terrorist,

Disgruntled

Employee

Intermediate Lost Workday or Major Injury

Complaints or Local Community

Impact

Medium Low Low

Disable/manipulate

emergency

shutdown

Domestic or Foreign

Terrorist

High Fatality or Major Community

Incident

High Very Low Medium

Process

shutdown

Trip emergency

shutdown

Malware, Novice

Hacker

Low Shutdown > 6 Hours Medium High High

Cause Loss of View

of SIS

Malware, Novice

Hacker

Low Shutdown > 6 Hours Medium High High

Manipulate control

system

Hacker, Disgruntled

Employee

Intermediate Shutdown > 6 Hours Medium Medium Medium

Disable PCN

communications

Malware, Novice

Hacker

Low Shutdown < 6 Hours Low High Medium

Spoof operators Hacker, Disgruntled

Employee

Intermediate Shutdown < 6 Hours Low Medium Low

Environmental

spill

Manipulate control

system

Activist Intermediate Citation by Local Agency Medium Low Low

Mislead operators Activist Intermediate Citation by Local Agency Medium Low Low

24


Step 2 – Document Policies & Procedures

•Start With Policy, Not Technology

•Should be technology and architecture

independent

•Do not include the implementing procedures and processes

•Leave the details of specific technologies and how to implement them for later

Security policy outlines what you want to achieve, NOT how to do it

25


Step 3 – Train Personnel & Contractors

•Ensure personnel are aware of the

existence and importance of these

materials

•First conduct an awareness program

•Second is a staff training program that

informs employees:

•How to be secure

•What their roles and responsibilities are

•What to do if they suspect there is a security

breach

26


Step 4 – Design a Secure Control System

Architecture

• A core concept in the ISA/IEC 62443.02.01

security standard (Formerly ISA-99) is known

as “Zones and Conduits”

• ICS networks divided into layers or zones

based on control function

• Separate zones allow a “defense in depth”

strategy

27


Control

Network

External

NetworkPLCs

Office

Network

Servers

Internet

IT Firewall

Enterprise

Workstations

HMI Stations

Plant

Network

Contractor Wireless Dial-up

IT Firewall

Wireless

Engineering

StationsServers

PLCs Remote

Diagnostics

Enterprise

Servers

Typical Control Network Architecture

28


Control

Network

External

NetworkPLCs

Office

Network

Servers

Internet

IT Firewall

Enterprise

Workstations

HMI Stations

Plant

Network


IT Firewall

Wireless

Engineering

StationsServers

PLCs Remote

Diagnostics

Enterprise

Servers

Typical Control Network Architecture

29


•We can’t just install a firewall at the edge of

the network and forget about security.

• The bad guys will eventually get in

• Many problems originate inside the plant network

•We must harden the plant floor.

•We need Defense in Depth.

A Perimeter Defense is Not Enough

We’re crunchy on the Outside - Soft in the

Middle

30


Security Zone Definition

• “Security zone: grouping of logical or physical

assets that share common security

requirements” [ANSI/ISA-62443.02.01–2009 -

3.2.116]

•A zone has a clearly defined border (either

logical or physical), which is the boundary

between included and excluded elements

PLC Zone HMI Zone

31


Conduits

•A conduit is a path for the flow of data

between two zones

•Can provide the security functions that allow

different zones to communicate securely

•Any communications between zones must

have a conduit

Conduit

PLC Zone HMI Zone

32


Using Zones: An Example Oil Refinery

33


Specifying the Zones

34


Defining the Conduits

35


Step 5 – Control Access to the System

•Next step is to control access to assets within

those zones

• Important to control both physical and logical

access

• Identifying who and what should have access to

what resources:

• What privileges?

• How that should be enforced?

• What technology should be used?

•This is the installation and commissioning phase

37


Conduit Deep Packet Inspection


Control

Network

External

NetworkPLCs

Office

Network

Servers

Internet

IT Firewall

Enterprise

Workstations

HMI Stations

Plant

Network


IT Firewall

Wireless

Engineering

StationsServers

PLCs Remote

Diagnostics

Enterprise

Servers

Zones and Conduits provide

Defense in Depth

Control

Network

External

NetworkPLCs

Office

Network

Servers

Internet

IT Firewall

Enterprise

Workstations

HMI Stations

Plant

Network


IT Firewall

Wireless

Engineering

StationsServers

PLCs Remote

Diagnostics

Enterprise

Servers

39


Control

Network

External

NetworkPLCs

Office

Network

Servers

Internet

IT Firewall

Enterprise

Workstations

HMI Stations

Plant

Network


IT Firewall

Wireless

Engineering

StationsServers

PLCs Remote

Diagnostics

Enterprise

Servers


Defense in Depth

40


Control

Network

External

NetworkPLCs

Office

Network

Servers

Internet

IT Firewall

Enterprise

Workstations

HMI Stations

Plant

Network


IT Firewall

Wireless

Engineering

StationsServers

PLCs Remote

Diagnostics

Enterprise

Servers


Defense in Depth

41


Step 6 – Harden the Components

of the System

•Hardening means locking down the

functionality of the various components in your

system to prevent unauthorized access or

changes, remove unnecessary functions or

features, and patch any known vulnerabilities.

•Especially important in modern ICS which

utilize commercial off-the-shelf (COTS)

technology.

• Includes patch management, AV deployment,

shutting down unneeded services

42


Step 7 – Monitor & Maintain

System Security

•Security is a lifestyle, not a goal

•Maintaining security involves activities

such as:

•Updating antivirus signatures and white lists

• Installing security patches

•Monitoring for suspicious activity

• Periodically testing and assessing the system

43


Expectations, responsibilities and

opportunities for the Control

Engineer and System Integrator

44


Expectations

•Not infecting the control system through bad

staff practices:

• Poor USB Key/CD/DVD handling

• Poor laptop security practices

• Poor remote access security practices

• Inadequate staff training

•Understanding and compliance to current

security standards like ISA/IEC 62443 and

NERC CIP

45


Responsibilities

•Not designing/installing an insecure system

•Not making a system less secure through

upgrades and changes

•Meeting security practice requirements as

defined in relevant standards

•Meeting record-keeping requirements as

defined in relevant standards

46


Opportunities – The Assessment Step

• Involves analyzing a new or existing system

to determine the security threats and risks

• Audits Risk and Threat Analysis

• Asset inventories

• Network and communications reviews

• Software/platform reviews

• Staff competency reviews

47


Opportunities – The Design Step

• Involves designing a system architecture

design

• Creating a zone and conduit strategy

• Network architecture design

• Network system and components selection

• Prioritization based on risk

48


Opportunities – The Implementation Steps

• Implementing the system architecture and

required security controls

• Restructuring of the network (if required)

• Security control technology deployment and

commissioning

•Equipment hardening

•Testing and validation

49


Opportunities – The Maintain Step

•Maintaining the security targets through

periodic assessments and effective

management processes.

• System reviews

• Threat landscape reviews

• Staff upgrading

• Change Management process reviews

• Continuous monitoring services

50


Summary

•The world of control systems has

changed since Stuxnet

• ISC/SCADA Security is not the same as

IT Security

•Asset owners need their SIs to support

their security programs

•Use ISA/IEC-62443 as a roadmap to

deploying a security program

51


New Standards and

Regulations in Control

System Security

52


Government Efforts and Regulations

•Department of Homeland Security (DHS)

• 6 CFR part 27: Chemical Facility Anti-Terrorism

Standards (CFATS)

• National Cyber Security Division

•Department of Energy

• Federal Energy Regulatory Commission (FERC)

– 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)

•Nuclear Regulatory Commission (NRC)

• 10 CFR 73.54 Cyber Security Rule (2009)

• RG 5.71

•National Institute of Standards and Testing (NIST)

• SP800-82 Guide to Industrial Control Systems (ICS)

Security

53


New Standards in the ICS Environment

• International Society for Automation (ISA)

• ISA99/62443, Industrial Automation and Control System

(IACS) Security

• International Electrotechnical Commission (IEC)

• IEC 62443 standards (equivalent to ISA 99)

• International Instrument Users' Association (WIB)

• M 2784-X-10 Process Control Domain Security

Requirements for Vendors

• ISASecure

• Embedded Device Security Assurance Certification

54


Industry Specific Guidance

• American Petroleum Institute (API)

– API Standard 1164 - SCADA Security

• American Chemistry Council (ACC)

• ChemITC™ Chemical Sector Cyber Security Program

– Guidance for Addressing Cyber Security in the Chemical

Industry Version 3.0

• North-American Electric Reliability Council (NERC)

– Critical Infrastructure Protection (CIP) 002 – 009

• Department of Homeland Security

– Chemical Facility Anti-terrorism Standards (CFATS)

– Risk-based Performance Standards (RBPS) (RBPS 8)

55


Active Hardware


Product Overview in Short-form Catalog

57


Securing Physical

Access

58


Web Access

• By default, the web interface of the switch is enabled.

You have the option to either disable this access or to

configure it to use a more secure connection.

• HTTP (Hyper Text Transfer Protocol – TCP Port 80)

• HTTPS (Hyper Text Transfer Protocol Secure – TCP

Port 443) 59


HiDiscovery Access

• IP addressing tool

• Uses MAC addresses to ID

• Useful if installed assigned DHCP IP address

• The red pencil indicates Read-Write Access.

• The glasses indicates Read-Only access. 60


HiDiscovery Access

• In a secured environment, you may want to

designate the switch as being read-only or not

visible at all via the HiDiscovery program.

61


Securing Empty Ports

• Good security practices include the disabling of

unused ports to prevent unauthorized

connections to empty ports on the switch.

62


Monitoring Connected Ports

• You can also use a SNMP management

application such as Industrial HiVision to monitor

the connection status of your infrastructure ports

in your network

63


MAC Based Port Security

• MAC based filter on a per port basis allows only the

authorized MAC address to forward traffic from the

given port.

• Up to 10 MAC addresses listed per port or you can

use a range of MAC addresses that you wish to allow.

64


IP Based Port Security

• IP based filter on a per port basis.

• IP-Based Port Security internally relies on MAC-

Based Port Security. Principle of operation: When

you configure the function, the device translates

the entered source IP address into the respective

MAC address.

65


Placing Network Terminations in Your Hands


Modular design MIPP

6 SC-Duplex Module 12 LC-Duplex Double Module 4 RJ45 Keystone Module

Housing

Modules

67


Alarming and

Notification

68


Industrial HiVision Network Management

and Visualization Software

• Rapid deployment with multi-device config

• Graphical interface

• Network views incl. unmanaged and WLAN

• Auto-topology discovery

• Event log

• Event handling

• Asset management

• Client / Server

• ActiveX control

• SCADA/OPC server

• Flexible licensing

Network Management Software

69


Belden’s Unique Position

• End-to-end Network Solution • Wired and wireless

• Active networking products

• Cable and connectors

• Cable management

• Software

• Services

• One Face

• One Source

• All Globally

74


Thank you!

Merci beaucoup!

Obrigado !

Muchas gracias!

Toa chie!

Domo arigato!

Danke schön!

75

hirschmann and tofino · •salt river project scada hack •maroochy shire sewage spill...

Documents